Spamvertised Intuit themed emails lead to Black Hole exploit kit

Cybercriminals are currently spamvertising millions of emails impersonating Intuit, in an attempt to trick end users and corporate users into clicking on the malicious links found in the emails.

The emails pretend to come from Intuit’s PaymentNetwork and acknowledge the arrival of an incoming payment. In reality, the links redirect users to Black Hole exploit kit landing URLs where client-side exploits are served, and ultimately malware is dropped on the infected hosts.

More details:

Screenshot of the spamvertised Intuit themed malicious email:

Upon clicking on the links found in the email, users are exposed to the following bogus “Page loading…” page:

Upon successful client-side exploitation, the campaign drops a sample (MD5: 4462c5b3556c5cab5d90955b3faa19a8) on the exploited hosts. The sample is detected by 29 out of 41 antivirus scanners as Worm.Win32.Cridex.fb; Worm:Win32/Cridex.B.

Upon execution, the sample phones back to renderingoptimization.info (87.255.51.229; Email: pauletta_carbonneau2120@quiklinks.com) on port 443.
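
An added example, not part of the original post: a small Python triage script that scans connection logs for the callback domain, IP and port named above and compares file contents against the dropped sample's MD5. The log format, workstation names and sample lines are constructed for illustration.

```python
import hashlib
from ipaddress import ip_address

# Indicators taken from the post above.
C2_DOMAIN = "renderingoptimization.info"
C2_IP = ip_address("87.255.51.229")
C2_PORT = 443
DROPPED_MD5 = "4462c5b3556c5cab5d90955b3faa19a8"

# Constructed sample log (hypothetical format: time src_host dst_host dst_ip dst_port).
SAMPLE_LOG = """\
2000-01-01T10:00:01 ws-014 www.example.com 93.184.216.34 443
2000-01-01T10:00:07 ws-022 RenderingOptimization.info. 87.255.51.229 443
2000-01-01T10:01:12 ws-031 - 87.255.51.229 443
2000-01-01T10:02:40 ws-014 notrenderingoptimization.info 203.0.113.9 443
2000-01-01T10:03:05 ws-040 cdn.renderingoptimization.info 198.51.100.7 443
malformed line
"""

def host_matches(host):
    """True for the callback domain or a subdomain; ignores case and a trailing dot."""
    host = host.lower().rstrip(".")
    return host == C2_DOMAIN or host.endswith("." + C2_DOMAIN)

def find_callbacks(log_text):
    """Return (src_host, reason) for every line that matches a network indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not fit the assumed format
        _, src, host, ip, port = fields
        try:
            ip_hit = ip_address(ip) == C2_IP and int(port) == C2_PORT
        except ValueError:
            continue  # unparsable address or port
        if host_matches(host):
            hits.append((src, "domain"))
        elif ip_hit:
            hits.append((src, "ip:port"))  # direct-to-IP traffic with no hostname logged
    return hits

def is_dropped_sample(data):
    """Exact-match triage: compare a file's MD5 with the hash from the post."""
    return hashlib.md5(data).hexdigest() == DROPPED_MD5

if __name__ == "__main__":
    for src, reason in find_callbacks(SAMPLE_LOG):
        print(src, reason)
```

An exact MD5 match only catches this specific binary, so the network indicators are the more durable of the two checks for finding already-infected hosts.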